The Irish Data Protection Commissioner has agreed to investigate allegations that Facebook exposes its users’ personal data to mass snooping by U.S. intelligence services, following a ruling of the High Court of Ireland on Tuesday.
Austrian Facebook user Maximilian Schrems filed a complaint with the DPC in 2013, in the wake of Edward Snowden’s revelations about the U.S. National Security Agency’s PRISM surveillance system.
The DPC initially dismissed the complaint as “frivolous,” a decision Schrems went on to challenge in the Irish high court.
Facebook, the DPC said in 2013, complied with the terms of the so-called Safe Harbor agreement, under which businesses certify that they respect EU data protection legislation when processing data in the U.S., and since that agreement had been made by the European Commission under the terms of the EU directive that also informed Irish law on the matter, there was nothing for the DPC to investigate.
Schrems asked the Irish high court for a judicial review of the DPC’s decision, and the court in turn asked the European Union’s highest court, the Court of Justice of the EU, to rule on whether national data protection authorities had the power to challenge the European Commission’s decision that the Safe Harbor agreement provided sufficient protection under EU law.
Earlier this month, the CJEU responded to the Irish high court’s questions, ruling that national data protection authorities had a duty to investigate complaints even when they concerned a decision of the European Commission.
The CJEU went much further, however, invalidating the Safe Harbor agreement itself.
In a hearing at the Irish high court Tuesday morning, the high court judge quashed the DPC’s decision to dismiss the case, Ireland’s national broadcaster RTE reported.
Irish Data Protection Commissioner Helen Dixon said her office “will now investigate the substance of the complaint with all due diligence.”
The substance of Schrems’ complaint was that Facebook’s transfer of the personal information of its European users, managed by Facebook Ireland, to the U.S. for processing by the parent company, Facebook, did not respect EU and Irish privacy law.
The Safe Harbor agreement under which Facebook and thousands of other companies made such data transfers forbid them from forwarding data to third parties without giving users notice and a choice in the matter. There was an exception for compelling reasons of national security, but Schrems had asked the DPC to investigate whether Facebook’s alleged granting of bulk access to the NSA met that requirement or was voluntary.
The DPC will now have to investigate that and other allegations in Schrems’ original complaint.
Facebook will respond to inquiries from the DPC as part of the investigation, a Facebook representative said, adding: “Facebook is not and has never been part of any program to give the US government direct access to our servers.”